Learn how to set up and configure the Okta Device Trust integration in Kandji
- Overview
- Prerequisites
- Integration setup
- Configuring device platforms in Okta
- Modifying a device integration in Okta
- Configuring device platforms in Kandji
Overview
Okta Device Trust (ODT) allows admins to require that an Apple device be managed by Kandji before its user can access Okta-protected apps from it. This, in part, enables Okta FastPass, a passwordless authentication experience that lets end users sign in to Okta and their Okta resources without a password. On iOS, iPadOS, and macOS devices, FastPass lets users authenticate with Face ID or Touch ID. Okta FastPass is a feature of Okta Identity Engine.
Prerequisites
During the integration setup process, Kandji will check for the presence of the following items. These items must be configured in the Okta tenant before setting up the ODT integration with Kandji. A warning modal will be displayed if Kandji finds one or more of these items missing.
- The Okta tenant must be migrated from Okta Classic Engine to Okta Identity Engine
- Okta FastPass must be enabled in the Okta tenant
- The Okta Verify Apple App Store app must be assigned to Kandji via Apps and Books in Apple Business Manager.
- The Okta user setting up ODT must have the super admin role in Okta. Super admin credentials are only needed for the initial authentication and for adding the API Service Integration; Kandji does not keep them.
- Okta Adaptive MFA is required in order to add Device integrations in Okta.
Integration setup
- Log in to your Kandji tenant.
- Navigate to Integrations.
- Click Discover Integrations.
- In the Security section, find Okta Device Trust.
- Click Add and configure.
- In the Welcome to Okta Device Trust modal, click Get Started.
- In the Specify your Okta Domain modal, enter your Okta tenant URL and click Next.
- In the Sign in with Okta modal, click Sign in with Okta. This opens a new browser window and takes you to your Okta tenant, where you will create an API Service Integration. Once that is done, you will return to Kandji to continue the ODT integration setup. The Okta user used to configure ODT must have the super admin role in Okta.
- Once signed in to Okta, you should be on the Authorize Kandji Device Trust integration page. Click Install & Authorize. The Kandji API Service Integration requests the following scopes, and no others:
  - okta.devices.manage
  - okta.devices.read
  - okta.authenticators.read
- On the Copy your client secret modal, copy the client secret to a safe place (for example, a password manager) for use later in Kandji. This is the only time Okta will show it to you.
- Click Done.
- On the Kandji Device Trust overview page, copy the Client ID to a safe place for use later in Kandji.
- Return to Kandji to continue the ODT integration setup.
- In the Complete the following tasks in Okta modal, click Next.
- In the API Service Integration Credentials modal, enter the Client ID and Client Secret you copied earlier.
- Click Connect to Okta. Kandji checks in the background that the Okta tenant is on Okta Identity Engine and that Okta FastPass is enabled.
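The Client ID and Client Secret you paste into Kandji are OAuth 2.0 client credentials for the API Service Integration, and the "Connect to Okta" step only tells you pass or fail. The following pre-flight script is an added example (not Kandji's or Okta's code) that you can run before that step: it builds the client-credentials token request an API Service Integration uses against the org authorization server, compares the scopes Okta actually granted with the three listed on the authorize page (flagging anything missing or extra), and reads Okta's org discovery document, whose pipeline value is idx on Identity Engine and v1 on Classic Engine. The domain, Client ID, secret, and JSON responses below are constructed so the file runs offline; run_live() performs the same checks against a real tenant.

```python
"""Pre-flight checks for the Okta API Service Integration credentials used by Kandji ODT.

Added example, not Kandji or Okta code. The sample responses are constructed; only
run_live() touches the network.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Scopes listed on the "Authorize Kandji Device Trust integration" page.
EXPECTED_SCOPES = frozenset({
    "okta.devices.manage",
    "okta.devices.read",
    "okta.authenticators.read",
})


def build_token_request(okta_domain, client_id, client_secret):
    """Build the client-credentials request to the Okta org authorization server.

    The Client ID/Client Secret pair is used as HTTP Basic client authentication
    against /oauth2/v1/token; the body requests exactly the scopes Kandji needs.
    """
    url = f"https://{okta_domain}/oauth2/v1/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": " ".join(sorted(EXPECTED_SCOPES)),
    })
    return url, headers, body


def check_granted_scopes(token_response):
    """Return (missing, extra) scopes relative to EXPECTED_SCOPES.

    An error response (e.g. invalid_scope, returned when the integration was
    installed without one of the scopes) counts as granting nothing.
    """
    if "error" in token_response:
        return set(EXPECTED_SCOPES), set()
    granted = set(token_response.get("scope", "").split())
    return EXPECTED_SCOPES - granted, granted - EXPECTED_SCOPES


def is_identity_engine(org_doc):
    """Okta's /.well-known/okta-organization document reports pipeline 'idx' for
    Identity Engine and 'v1' for Classic Engine; ODT requires Identity Engine."""
    return org_doc.get("pipeline") == "idx"


def run_live(okta_domain, client_id, client_secret):
    """Run both checks against a real tenant (network required)."""
    org_url = f"https://{okta_domain}/.well-known/okta-organization"
    with urllib.request.urlopen(org_url, timeout=10) as resp:
        org_doc = json.load(resp)
    url, headers, body = build_token_request(okta_domain, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            token_response = json.load(resp)
    except urllib.error.HTTPError as err:  # 400/401 responses carry a JSON error body
        token_response = json.load(err)
    return is_identity_engine(org_doc), check_granted_scopes(token_response)


# Constructed sample responses: shapes follow Okta's documented responses, values are fake.
SAMPLE_ORG_OIE = {"id": "00oEXAMPLE", "pipeline": "idx"}
SAMPLE_ORG_CLASSIC = {"id": "00oEXAMPLE", "pipeline": "v1"}
SAMPLE_TOKEN_OK = {
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "eyJ.constructed.token",
    "scope": "okta.devices.manage okta.devices.read okta.authenticators.read",
}
SAMPLE_TOKEN_SCOPE_ERROR = {
    "error": "invalid_scope",
    "error_description": "One or more scopes are not configured for the authorization server resource.",
}

if __name__ == "__main__":
    print("Identity Engine (OIE sample):", is_identity_engine(SAMPLE_ORG_OIE))
    print("Identity Engine (Classic sample):", is_identity_engine(SAMPLE_ORG_CLASSIC))
    print("Scope check (good token):", check_granted_scopes(SAMPLE_TOKEN_OK))
    print("Scope check (invalid_scope):", check_granted_scopes(SAMPLE_TOKEN_SCOPE_ERROR))
    # run_live("example.okta.com", "0oaexample", "s3cr3t")  # constructed placeholders
```

Treat any non-empty "extra" set as a signal that the integration was authorized with more than it needs, and an "invalid_scope" error as the integration having been installed without one of the three scopes; in both cases fix the integration in Okta before pasting the credentials into Kandji. Note that the secret used here is the same one Okta shows only once, so keep it out of shell history.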
Configuring device platforms in Okta
This section covers creating device integrations in Okta. The values Okta generates here are entered in Kandji when adding device platforms.
Okta Adaptive MFA is required in order to add Device integrations in Okta.
Adding device integrations in Okta
- Log in to the Okta admin portal
- In the left-hand navigation, click Security > Device Integrations
- Click Add platform
Add macOS as a device integration
- On the Select platform step, select Desktop (Windows and macOS only).
- Click Next.
- On the Configure management attestation step, select Use Okta as certificate authority.
- For SCEP URL challenge type, select Dynamic SCEP URL and Generic.
- Next to SCEP URL, click Generate.
- Copy the SCEP URL, Challenge URL, Username, and Password to a safe place. Later, in Kandji, this information is used to set up macOS as a device platform.
- This is the only time you can view the password. If needed, you can rotate it later from the Actions menu on the main Device integrations page in Okta.
- Click Save.
Add iOS as a device integration
- On the Select platform step, select iOS.
- Click Next.
- On the Configure management attestation step, copy the Secret key to a safe place for use later when adding iOS as a device platform in Kandji.
- This is the only time you can view the secret key. If needed, you can rotate it later from the Actions menu on the main Device integrations page in Okta.
- For Device management provider, enter a descriptive, user-friendly value.
- For Enrollment link, enter your Kandji tenant's device enrollment link (for example, https://accuhive.kandji.io/enroll, where accuhive is replaced by your tenant subdomain).
- Click Save.
Modifying a device integration in Okta
Rotate a macOS challenge password or iOS Secret
- Go to the Device Integrations page
- Next to the integration that you want to change, click the Actions menu
- Click the reset option for that platform
- Click the Reset button in the modal that appears
Delete a macOS challenge password or iOS Secret
- Go to the Device Integrations page
- Next to the integration that you want to change, click the Actions menu
- Click Delete
- Click the Delete button in the modal that appears
Configuring device platforms in Kandji
- In the Configure device platforms modal, select the platforms to configure. You can configure macOS, iOS, or both.
- Click Next.
- If you selected macOS, enter the required information in the Add macOS as a device platform modal and click Next.
- If you selected iOS, enter the required information in the Add iOS as a device platform modal and click Finish setup.
- In the Okta Device Trust setup complete modal, choose View integration settings to see additional information about the ODT integration in Kandji, or choose Go to Library item to configure the Okta Verify app for ODT deployment.
Up next
Deploy ODT to your Apple devices using the Okta Device Trust: Configuring the Okta Verify Library item support article.